Breaches of UK data protection laws during 2016 attracted no less than 35 fines totalling £3,245,500. That’s almost double the 2015 total of 18. Now, with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to ensure compliance with the forthcoming European Union General Data Protection Regulation (GDPR).

PwC has analysed data protection enforcement actions conducted by the Information Commissioner’s Office (ICO) over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings. The analysis for 2016 finds that 23 enforcement notices were issued (notices that require organisations to take steps to ensure compliance after a data breach). This represents a 155% increase on the nine notices issued during the course of 2015.

The UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3 million). Across Europe, however, the pattern has been one of comparatively low volumes of regulatory enforcement actions carrying low-level financial penalties, in stark contrast to the US, where fines of approximately $250 million were served.

Impact on stakeholder trust

PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this at the top of the agenda is right now, before the GDPR becomes law across the EU as of 25 May 2018. From then on, a variety of new compliance obligations will be imposed, including new rules about breach disclosure, data portability and data use consent. Organisations that fail to comply could face penalties of up to 4% of global turnover or €20 million (whichever is higher).

Stewart Room, PwC’s global cyber security and data protection legal services leader, commented: “At present, the ICO can issue fines of up to £500,000, but with this set to increase to up to 4% of global turnover under the new GDPR, UK organisations must use the remaining time to prepare for compliance ahead of next year.”

Room added: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis in order to deliver real operational change. It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what’s essentially a code for good business, wherein privacy by design becomes part of everyday operations?”

Lack of awareness

84% of the UK’s small business owners and 43% of senior executives of large companies are unaware of the forthcoming GDPR. Shred-It’s seventh annual Security Tracker Survey also finds that only 14% of small business owners and 31% of senior executives are able to correctly identify the potential fine associated with the new law. This is despite a large proportion of senior executives (95%) and small business owners (87%) claiming to have at least some understanding of their industry’s legal requirements.

Businesses which are unaware of the forthcoming legislation and its implications are not only putting themselves at risk of severe financial penalties, but also the reputational damage caused by adverse publicity associated with falling foul of the law. This can often have a greater impact than the fine itself. Research shows that 64% of executives agree their organisation’s privacy and data protection practices contribute towards reputation and brand image.

Of those respondents who claim to be aware of the legislative change, only 40% of senior executives have already begun to take action in preparation for the GDPR, in spite of 60% agreeing that the change in legislation would put pressure on their business to change its policies related to information security.

The in-depth survey also highlights that companies feel the UK Government needs to take more action. 41% of small business owners (representing an 8% increase from 2016) believe that the Government’s commitment to information security needs improvement.

Proactive approach needed

Robert Guice, senior vice-president at Shred-It, explained: “As we approach May 2018, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for the incoming GDPR. From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies through to ensuring greater transparency around the use of personal information, businesses simply must be fully aware of how the legislation will affect their company to ensure that they’re fully compliant.”

Guice concluded: “Government bodies such as the ICO must take a leading role in supporting businesses around GDPR ‘readiness’ by helping them to understand the preparation needed and the urgency in acting now. The closer Government, information security experts and UK businesses can work together, the better equipped organisations will find themselves come next May.”

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting.
In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector.
In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award.
An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.
Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site.
Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.
Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.
